On 08/29/2011 10:38 AM, Daniel J Walsh wrote:
> On 08/29/2011 11:10 AM, Miroslav Grepl wrote:
>> On 08/29/2011 12:52 PM, Christopher J. PeBenito wrote:
>>> On 08/29/11 08:33, Stephen Smalley wrote:
>>>> On Fri, 2011-08-26 at 20:51 +0200, Miroslav Grepl wrote:
>>>>> Together with Dan Walsh, Jan Chadima we made some changes
>>>>> in the openssh package.
>>>>>
>>>>> But we have the following issue with the following code
>>>>>
>>>>> ...
>>>>>
>>>>> if (internal-sftp)
>>>>>     setuid()
>>>>>     getexecon(&scon)
>>>>>     setcon(scon)
>>>>>     freecon(scon)
>>>>>
>>>>> ...
>>>>>
>>>>> We have
>>>>>
>>>>> allow sshd_t unpriv_userdomain:process dyntransition
>>>>>
>>>>> rule but we get a constraint violation with the following
>>>>> AVC msg
>>>>>
>>>>> type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=staff_u:staff_r:staff_t:s0
>>>>>
>>>>> because of
>>>>>
>>>>> constrain process dyntransition ( u1 == u2 and r1 == r2 )
>>>>>
>>>>> My question is why dyntrans is not allowed to change USER
>>>>> or ROLE.
>>>>>
>>>>> https://bugzilla.redhat.com/show_bug.cgi?id=729648
>>>>
>>>> I think just because we haven't previously had a system
>>>> program using setcon(3) to switch its user/role.
>>>
>>> Also because the theory was we would be reproducing privilege
>>> bracketed domains, so you'd be going to a different privilege
>>> in e.g. httpd_t -> httpd_mycgi_t, and that would not require user
>>> or role changes.
>>>
>> Ok, I understand. Thanks.
>>
>> Could we add an attribute to break this?
>
> Or say it is ok for a userdomain?
>
> --
> selinux mailing list
> selinux@xxxxxxxxxxxxxxxxxxxxxxx
> https://admin.fedoraproject.org/mailman/listinfo/selinux

constrain process dyntransition ( (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain );
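Added example, not code from the thread: a small Python checker that parses the AVC line quoted above, splits both contexts into user/role/type, and evaluates the original dyntransition constraint and the relaxed one proposed in the last reply. It assumes the allow rule from the thread and assumes (not stated on the page) that staff_t carries the unpriv_userdomain attribute.

```python
import re

# Constructed sample: the AVC denial quoted in the thread (fields copied from it).
AVC_LINE = ('type=AVC msg=audit(1314348650.561:7910): avc: denied { dyntransition } '
            'for pid=555 comm="sshd" scontext=unconfined_u:system_r:sshd_t:s0-s0:c0.c1023 '
            'tcontext=staff_u:staff_r:staff_t:s0')

# Assumed policy facts: the allow rule from the thread, expanded for one member type,
# and the set of types carrying unpriv_userdomain (staff_t is an assumption, not from the page).
ALLOW_DYNTRANSITION = {("sshd_t", "staff_t")}
UNPRIV_USERDOMAIN = {"staff_t"}

def parse_context(ctx):
    """Split user:role:type[:range]; the MLS range may itself contain ':' so split at most 3 times."""
    user, role, type_, *rest = ctx.split(":", 3)
    return {"u": user, "r": role, "t": type_, "range": rest[0] if rest else ""}

def parse_avc(line):
    """Pull the denied permissions and both security contexts out of an AVC denial line."""
    m = re.search(r'denied\s+\{\s*([^}]+?)\s*\}.*?scontext=(\S+)\s+tcontext=(\S+)', line)
    if not m:
        raise ValueError("not an AVC denial line")
    return {"perms": m.group(1).split(),
            "s": parse_context(m.group(2)),
            "t": parse_context(m.group(3))}

def original_constraint(s, t):
    # constrain process dyntransition ( u1 == u2 and r1 == r2 )
    return s["u"] == t["u"] and s["r"] == t["r"]

def proposed_constraint(s, t):
    # constrain process dyntransition ( (u1 == u2 and r1 == r2) or t2 == unpriv_userdomain )
    return original_constraint(s, t) or t["t"] in UNPRIV_USERDOMAIN

def explain(line, constraint):
    """Return (allowed, reason): the allow rule is necessary, and every constraint must also hold."""
    avc = parse_avc(line)
    s, t = avc["s"], avc["t"]
    if "dyntransition" not in avc["perms"]:
        return False, "not a dyntransition denial"
    if (s["t"], t["t"]) not in ALLOW_DYNTRANSITION:
        return False, "no allow rule"
    if not constraint(s, t):
        return False, "constraint violation"
    return True, "allowed"

if __name__ == "__main__":
    for name, c in (("original", original_constraint), ("proposed", proposed_constraint)):
        print(name, explain(AVC_LINE, c))
```

The first result reproduces the denial from the thread (allow rule present, user and role differ, so the constraint fails); the second shows the proposed clause admitting the transition purely because the target type is an unpriv_userdomain.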